搭建节点
cat << 'EOF' > deploy_pure_reality.sh
#!/bin/bash
# 1. 基础环境准备与检测
echo "=====> 1. 正在更新系统组件并安装必要工具..."
sudo apt-get update && sudo apt-get install -y curl openssl uuid-runtime jq
# 2. 安装官方最新内核
echo "=====> 2. 正在通过官方脚本安装..."
bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install
# 3. 动态生成完全随机且唯一的密钥材料
echo "=====> 3. 正在生成专属密钥材料..."
UUID=$(uuidgen)
SHORT_ID=$(openssl rand -hex 8)
# 调用 生成 x25519 密钥对
KEYPAIR=$(xray x25519)
PRIVATE_KEY=$(echo "$KEYPAIR" | sed -n 's/PrivateKey: //p')
PUBLIC_KEY=$(echo "$KEYPAIR" | sed -n 's/Password (PublicKey): //p')
# 4. 写入服务端 config.json (纯净 Reality,拒绝本地回落陷阱)
echo "=====> 4. 正在配置 服务端 规则..."
sudo mkdir -p /usr/local/etc/xray
sudo cat << XRAY_EOF > /usr/local/etc/xray/config.json
{
"log": {
"loglevel": "warning"
},
"inbounds": [
{
"listen": "0.0.0.0",
"port": 443,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "${UUID}",
"flow": "xtls-rprx-vision"
}
],
"decryption": "none"
},
"streamSettings": {
"network": "tcp",
"security": "reality",
"realitySettings": {
"xver": 0,
"show": false,
"dest": "www.apple.com:443",
"serverNames": [
"www.apple.com"
],
"privateKey": "${PRIVATE_KEY}",
"shortIds": [
"${SHORT_ID}"
],
"fingerprint": "chrome"
}
}
}
],
"outbounds": [
{
"protocol": "freedom"
}
]
}
XRAY_EOF
# 5. 注入高性能 BBR 与内核网络栈优化参数
echo "=====> 5. 正在强推内核油门 (开启 BBR + 优化网络栈缓冲)..."
sudo cat << BBR_EOF >> /etc/sysctl.conf
# 自建节点满血网络优化
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
net.core.rmem_max=16777216
net.core.wmem_max=16777216
net.ipv4.tcp_rmem=4096 87380 16777216
net.ipv4.tcp_wmem=4096 65536 16777216
net.ipv4.tcp_mtu_probing=1
net.core.somaxconn=65535
net.ipv4.tcp_max_syn_backlog=16384
net.ipv4.tcp_fin_timeout=15
net.ipv4.tcp_tw_reuse=1
BBR_EOF
# 让内核参数立即生效
sudo sysctl -p
# 6. 重启服务
echo "=====> 6. 正在启动服务..."
sudo systemctl daemon-reload
sudo systemctl restart xray
sudo systemctl enable xray
# 7. 生成供本地直接复制粘贴的 proxies 配置
echo "===================================================="
echo "🎉 恭喜!服务端节点已部署完毕并进入满血状态!"
echo "===================================================="
echo "👇 请直接复制以下内容替换你本地的 proxies 项:"
echo ""
echo "proxies:"
echo " - name: \"自建满血节点\""
echo " type: vless"
echo " server: $(curl -s ifconfig.me)"
echo " port: 443"
echo " uuid: ${UUID}"
echo " network: tcp"
echo " udp: true"
echo " tls: true"
echo " flow: xtls-rprx-vision"
echo " servername: www.apple.com"
echo " reality-opts:"
echo " public-key: ${PUBLIC_KEY}"
echo " short-id: ${SHORT_ID}"
echo " client-fingerprint: chrome"
echo "===================================================="
EOF
赋予执行权限并运行脚本
chmod +x deploy_pure_reality.sh
sudo ./deploy_pure_reality.sh
SSH端口修改
安全起见更改ssh端口
sudo echo "Port 45563" >> /etc/ssh/sshd_config
更改Socket文件配置
vim /etc/systemd/system/ssh.service.requires/ssh.socket
修改ListenStream=0.0.0.0:45563
重启服务
sudo systemctl restart sshd.service
更改ssh密钥访问,首先推公钥ssh-copy-id user@remote_host
# /etc/ssh/sshd_config
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
安全加固(节点部署后必做)
1. 安装 fail2ban — SSH爆破防御
# 安装
sudo apt install -y fail2ban
# 配置(修改port为你的实际SSH端口)
sudo cat > /etc/fail2ban/jail.local << 'CONF'
[DEFAULT]
bantime = 3600 # 封禁时长1小时
findtime = 600 # 检测窗口10分钟
maxretry = 5 # 5次失败封禁
ignoreip = 127.0.0.1/8 ::1
[sshd]
enabled = true
port = 45563 # 改为你的SSH端口
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 5
bantime = 3600
findtime = 600
CONF
# 重启生效
sudo systemctl restart fail2ban
sudo systemctl enable fail2ban
# 验证
sudo fail2ban-client status sshd
2. 安装自动安全更新
sudo apt install -y unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
# 验证
sudo systemctl status unattended-upgrades
3. 内核安全参数加固
sudo cat > /etc/sysctl.d/99-security.conf << 'SYSCTL'
# ---- 网络层安全防护 ----
net.ipv4.tcp_syncookies=1 # SYN Flood防护
net.ipv4.conf.all.rp_filter=1 # IP源地址伪造防护
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_source_route=0 # 禁用源路由
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.log_martians=1 # 记录异常IP包
net.ipv4.conf.default.log_martians=1
net.ipv4.icmp_echo_ignore_broadcasts=1 # Smurf攻击防护
net.ipv4.icmp_ignore_bogus_error_responses=1 # 忽略伪造ICMP错误
# ---- ICMP重定向防护 ----
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
# ---- 地址随机化 ----
kernel.randomize_va_space=2 # 全量ASLR
SYSCTL
# 立即生效
sudo sysctl -p /etc/sysctl.d/99-security.conf
4. 防火墙配置(UFW)
# 启用UFW
sudo ufw enable
# 放行必要端口
sudo ufw allow 45563/tcp # SSH(改为你的端口)
sudo ufw allow 443/tcp # Xray
# 默认入站拒绝,出站允许
sudo ufw default deny incoming
sudo ufw default allow outgoing
# 验证
sudo ufw status verbose
写在最后
节点部署容易,维护才是关键。以上安全加固步骤请在每台服务器部署完毕后立即执行,可以有效抵御自动化扫描和SSH爆破攻击。
建议在日常运维中:
- 定期检查 xray 运行状态:
systemctl status xray - 查看 fail2ban 封禁记录:
fail2ban-client status sshd - 检查安全更新:
apt list --upgradable 2>/dev/null | grep security - 审计登录记录:
last、grep "Failed password" /var/log/auth.log
评论 (0)
暂无评论,快来抢沙发吧!